Fraudsters need more than SINs to commit identity fraud, says experts

Canadians who have their social insurance numbers compromised such those affected by the breach of Canada Revenue Agency’s system by the Heartbleed bug can minimize their risk by taking steps to protect their credit and other personal information, security experts say.

The Canadian Anti-Fraud Centre says identity theft often occurs when fraudsters get their hands on multiple pieces of identification and use it to apply for credit.

“If all they have is the social insurance number on its own, it wouldn’t add to much,” said centre spokesman Dan Williams. “The vast majority of identity fraud, where suspects get cellphones, utilities, whatever, they have your name, date of birth and SIN.”

On Tuesday, the RCMP said it asked the Canada Revenue Agency to hold off on telling Canadians that 900 social insurance numbers were at risk due to Heartbleed, which led the agency to shut down its publicly accessible websites last week. A number of other federal departments also took their sites offline. All have since reopened.

The agency said those affected will be notified by registered letter and offered credit protection services. It’s unclear when the letters will be sent.

Williams said there is always a risk that someone’s personal information can get into the wrong hands.

“It’s something that happens, constantly,” he said. “As soon as ID is created, it’s vulnerable. No matter what, you can take your own personal step to really nail down your end of it but so much of it is beyond your control. It’s not worth stressing over, or being paranoid over because it could it happen.”

But those who want to minimize their risks should review their credit report at least once a year, and stay on top of their bills, by checking that all their charges are correct.

Williams said even in a worst-case scenario, it is rare that the victim is held liable for the fraudulent charges even if a fraudster is racks up to hundreds of thousands of dollars of debt on credit cards, cellphones or gains access to a bank account.

The centre said it has not received any public inquiries yet about the Heartbleed bug.

According to Service Canada, those who suspect someone is using their SIN should file a complaint with the police, contact the Canadian Anti-Fraud Centre for advice and ask for a free credit report with credit monitoring firms Equifax and TransUnion. In certain cases, it can issue a new SIN if there is proof that the number had been used fraudulently.

Equifax Canada said consumers can also have an alert put onto their credit account that asks a company when reviewing a new application to independently verify the identification that was given.

Since Monday, Equifax has received 90 inquiries from people worried about their SIN and the Heartbleed bug.

John Russo, the company’s vice-president, legal counsel and chief privacy officer, said having access to someone’s SIN is like having their birth certificate number or driver’s licence number.

“Having a SIN number to criminals is like having the keys to the candy jar,” he said. “You have that number, it’s uniquely identitifiable to you as an individual, and that’s why it’s so valuable to criminals.”

Russo said it could take weeks, or even years, for someone to repair the damage to their credit caused fraud. Many people don’t even realize they have been a victim until they are contacted by a collection agency about unpaid bills past 180 days.